Cisco Support Community

New Member

Broken ISE deployment

Hi all,

I need to change the IP addresses in an ISE 1.2 HA deployment (a primary/secondary pair). The tricky part is that the deployment was broken before I could get my hands on the servers.

I can make the primary server stand alone, and perform the address change, but for the secondary server I do not seem to have that option.

So what is the proper procedure to be able to reconfigure the IP address of a "broken" secondary server?

Thanks,

Lennart

2 ACCEPTED SOLUTIONS

Cisco Employee

Broken ISE deployment

Since it's the secondary, I wouldn't spend too much time getting frustrated over it.  A re-image might be just the cure you're looking for.

You can still do backups from the "broken" secondary?  That way, you always have a failsafe.

Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question.  Otherwise, feel free to post follow-up questions.

Charles Moreton

Cisco Employee

Broken ISE deployment

Hi Walfors,

The good part here is that you are able to successfully make your Primary node as standalone. You can take the backup of this standalone node to be on safer side.

Normally when you perform the deregister operation from Primary ISE node, then the secondary node will be turned to standalone and you will be having a safe standalone node.

As you are saying that your secondary node even after de-registering from primary it is still in Secondary mode and you cannot do any operations to this Secondary node.

If you are having concern about the certificates then I would recommend to take the backup of certificates by logging into secondary node GUI and go to Administration --> Server Certificates --> click on the certificate you want to export and then click on the export button.

Now you are good to perform the reset-config operation on your secondary ISE node. Go to CLI and trigger the command "application reset-config ise". This command will reset all your existing data with the default data.

After successful completion of the reset-config operation, if required you can restore the certificates that were exported and then join this node back to the deployment.

This way is the clean setup process.

If you do not want to perform the reset-config operation and need to be debugged further why the deployment is broken I would suggest you to raise service request with TAC.

3 REPLIES

New Member

Broken ISE deployment

Charles & ginjupa,

Thank you for your answers. I stopped crying and did the "application reset-config ise"! The deployment was quickly restored.

Best ones,

Lennart
